
ASA 8.2 upgrade to 9.x

Ignat Sitnikov
Level 1

Hello,

So I have a new project upgrading our old 5510 over here to a 5515x. The 5510 is running 8.2 and the 5515x will run 9.x. From what I have read, I won't be able to easily just copy the running config and slap it on a new 5515x. Does anybody know whether Cisco introduced a drastic CLI config change? What features will most likely need my attention the most? I have never worked with 9.x yet, so I'm not sure what changed and what didn't. I hear the commands for NATing sort of changed...

 

Thanks,

 

-Ignat

Accepted Solutions

johnlloyd_13
Level 9

Hi Ignat,

Yes, NAT has changed since the 8.3+ code.

Please find useful links for your upgrade:

http://www.tunnelsup.com/nat-converter

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 


Thank you sir. Did anything else change? I got s2s VPN tunnels, Remote Access, OSPF running on that 5510.

Hi,

AFAIK it's pretty much the same with the exception of Anyconnect and IKEv2 for VPNs.

Yeah, we don't use AnyConnect and I believe all tunnels are IKEv1. This is not too bad; I thought I would have to reverse engineer the whole thing over the weekends. Thank you sir.

The other bit to note is any "outside-in" access-lists. The old code referenced the NATted address for any public facing servers. The new syntax refers instead to the real IP address of the server(s) in the ACL.

It's only an issue if you have some static NAT or PAT and are allowing inbound access.

A few commands (like nat control for example) have been deprecated. If you move in your old config a couple of lines at a time you can watch for errors as the parser reads them and adjust accordingly.

Set up the new unit in an offline lab and you can check out all the syntax errors ahead of time.

Yeah, that was the plan. Boot it up off the network and paste line by line to see what it likes and what it doesn't. Hopefully NAT is the only thing I will have to deal with.
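As an added illustration of the "outside-in" ACL point raised in the replies above (not code from the thread's participants or from Cisco): a small Python check that reads an 8.2-style config, pairs each host `static` with its real address, and returns the inbound ACL lines rewritten to the real IP, also flagging `nat-control`. The sample config, addresses and function names are constructed; only host statics whose port is unchanged are handled.

```python
import re

# Constructed 8.2-style sample (RFC 5737 / RFC 1918 addresses, not from the thread).
SAMPLE_82 = """\
nat-control
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.20 smtp 10.2.2.20 smtp netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.20 eq smtp
access-list outside_in extended permit icmp any any
access-group outside_in in interface outside
"""

# 8.2 form: static (real_if,mapped_if) [tcp|udp] mapped_ip [port] real_ip [port] ...
STATIC_RE = re.compile(
    r"^static \(\S+,\S+\) (?:(?:tcp|udp) (\S+) \S+ (\S+) \S+|(\S+) (\S+))")

def static_map(config):
    """Return {mapped_ip: real_ip} for each 8.2 static NAT/PAT line."""
    mapping = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped, real = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
        if mapped != "interface":  # statics on the interface address carry no literal IP
            mapping[mapped] = real
    return mapping

def audit(config):
    """Return ([(old_acl, new_acl), ...], [deprecated commands found])."""
    mapping = static_map(config)
    rewrites, deprecated = [], []
    for line in config.splitlines():
        line = line.strip()
        if line == "nat-control":  # removed in 8.3+, the parser will reject it
            deprecated.append(line)
        if not line.startswith("access-list "):
            continue
        new = line
        for mapped, real in mapping.items():
            new = re.sub(rf"\bhost {re.escape(mapped)}(?!\S)", f"host {real}", new)
        if new != line:
            rewrites.append((line, new))
    return rewrites, deprecated

if __name__ == "__main__":
    for old, new in audit(SAMPLE_82)[0]:
        print(f"8.2 : {old}\n8.3+: {new}\n")
```

Any ACL line the check does not rewrite but that still names a public address deserves a manual look, since network-wide statics and port-translating statics fall outside what this sketch covers.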
